Upgrading ASL

From Atomicorp Wiki
Revision as of 16:51, 16 June 2014 by Mshinn (Talk | contribs)

Jump to: navigation, search

Contents

General Upgrade instructions

This section applies to all upgrades.

Run commands as the root user

When upgrading ASL, run all upgrade commands as the root user. Do not use sudo to run these commands.

Pre-requisites

Always check to make sure that your system meets the pre-requisites for ASL before upgrading. You can access the latest requirements for ASL on the ASL prerequisites page.

Updates

Ensure that your system has all of your OS vendors updates installed. ASL is tested against the latest versions of vendors OSes, and may require updated software from your vendor to work correctly and securely.

Release Notes

Each release includes Release Notes. We highly recommend you review the release notes before upgrading.

Test Environment

We recommend that you test all ASL upgrades on a test system before deploying an ASL update into a production environment. For this reason, all ASL licensees come with a free QA and development licensee so you can test out all ASL updates.

Version Specific Upgrade Instructions

ASL 4.0

Release Notes

Please see the Atomic_Secured_Linux#ASL_4.0_Release_Notes page.

Upgrading

From 4.0 to 4.0.x

Run the following commands as root:


Step 1)

aum -u

Step 2)

asl -s -f

Note: It is recommended that you clear your yum cache if you encounter any errors on upgrade:

yum clean all

Note: Do not use yum to upgrade ASL or its components, always use "aum".

From 3.2 to 4.0

ASL 4.0 uses the ASL installer to upgrade from 3.2 to 4.0. See the unattended installs article for advanced instructions for unattended installations.

You can upgrade ASL by following these steps:

Step 1) Become the root user

As the root user, run step 2 below. Do not use "sudo" to run these commands.

Use this command to become root:

su -

Step 2) Run the installer

Cut and paste the command below, and run this command as root:

wget -q -O - https://www.atomicorp.com/installers/asl |sh

Follow the instructions in the installer being sure to answer the configuration questions appropriately for your system.

Note: You must have a version of wget installed that supports HTTPS to install ASL, as described on the ASL prerequisites page.

If you do not get any output from the installation command it is likely wget on your system was replaced with a crippled version that does not support SSL. Please see this article to test if your wget supports SSL if you are unsure:

https://www.atomicorp.com/wiki/index.php/ASL_prerequisites#wget

Step 3) Reinstall the ASL database

During installation, when asked if you want to reinstall the ASL database, answer yes. ASL4 has a new database schema that is faster, and reinstallation of the database is required.

ASL 3.2

Release Notes

Please see the Atomic_Secured_Linux#ASL_3.2_Release_Notes page.

Upgrading

ASL 3.2 uses the internal upgrade management system in ASL. You can upgrade ASL by following these steps:

Step 1)

As the root user, run through Steps 2-4 below. Do not use "sudo" to run these commands.

Step 2)

Check to make sure you have ASL set to upgrade itself:

Check the file /etc/asl/config to ensure that UPDATE_TYPE is set to "all".

Step 3)

/var/asl/bin/aum -uf

Note: If you have changed UPDATE_TYPE to "rules-only", you must change this to "all" temporarily to manually upgrade ASL. If you do not wish to upgrade the kernel, you can set this temporarily to "Exclude-kernel".

Step 4)

yum upgrade mod_security tortix-waf

Step 5)

/var/asl/bin/asl -s -f

Automatic Upgrade

Check to make sure you have ASL set to upgrade itself:

Check the file /etc/asl/config to ensure that UPDATE_TYPE is set to "all".

If this is set to "all", ASL will automatically upgrade itself based on your upgrade configuration, which is by default to check for updates daily. You can change this to hourly if you wish the system to check more often, or you can force an upgrade by following the steps below.

Notes for 3.2 Upgrades

Cpanel

Do not enable modsecurity in cpanel, and do not use cpanel to upgrade or install modsecurity. CPanel does not use the latest version of modsecurity, and ASL is only tested and supported with the latest version supplied by ASL. ASL will automatically upgrade modsecurity if necessary.

Enabling modsecurity in cpanel will replace modsecurity with an older, and incompatible version and is not supported. This will likely also break your modsecurity configuration, as CPanel does not include all of the patches and enhancements in modsecurity that ASL comes with.

Version Check

In addition to the release notes referenced above, you can check to see if you are running 3.2 by running this command as root:

asl -v

You should see an output similar to this:

ASL Version 3.2.1-0.10.el5.art: CentOS 6 (SUPPORTED)

The "Centos 6" element will vary depending on your OS. If you see "UNSUPPORTED", you either not running the latest version of 3.2, or your OS may not be supported. The current list of OSes supported is documented on the Supported_Platforms_for_ASL wiki page.

If your OS is supported, and the upgrade is failing, this is more than likely caused by yums cache requiring a flush. Run this command as root to flush the cache:

yum clean all

And then try the upgrade again.

ASL 3.0

ASL 3.0 uses the internal upgrade management system in ASL. You can upgrade ASL by following these steps:

Automatic Upgrade

Check to make sure you have ASL set to upgrade itself:

Check the file /etc/asl/config to ensure that UPDATE_TYPE is set to "all".

If this is set to "all", ASL will automatically upgrade itself based on your upgrade configuration, which is by default to check for updates daily. You can change this to hourly if you wish the system to check more often, or you can force an upgrade by following the steps below.

Force an upgrade if you have automatic upgrades configured

Force update step 1

Run this command as root:

asl -uf

Force update step 2

Set the new security policy, by running this command as root:

asl -s -f

This configures all of the ASL updates for your unique system. This command is perfectly safe to run at any time, even if you have not upgraded any ASL components.

Please see the release notes, which include additional information when upgrading from 2.2 to 3.0:

Atomic_Secured_Linux#ASL_3.0_Release_Notes

Manual Upgrade if you do not have have automatic upgrades configured

If you do not want your system to automatically upgrade ASL, change the setting in the ASL configuration UPDATE_TYPE to your needs. The "all" setting tells ASL to upgrade itself.

To upgrade manually you will then need to run these commands (run them as root):

Step 1) yum upgrade asl asl-web mod_security kernel

Note: If you have a PAE kernel installed, you will need to replace "kernel" with "kernel-PAE".

Step 2) asl -uf

Step 3) asl -s -f

Step 4) Please see the release notes, which includes additional information when upgrading from 2.2 to 3.0:

Atomic_Secured_Linux#ASL_3.0_Release_Notes

Notes for 3.0 Upgrades

In addition to the release notes referenced above, you can check to see if you are running 3.0 by running this command as root:

asl -v

You should see an output similar to this:

ASL Version 3.0: CentOS 5 (SUPPORTED)

The "Centos 5" element will vary depending on your OS. If you see "UNSUPPORTED", you either not running the latest version of 3.0, or your OS may not be supported. The current list of OSes supported is documented on the Supported_Platforms_for_ASL wiki page.

If your OS is supported, and the upgrade is failing, this is more than likely caused by yums cache requiring a flush. Run this command as root to flush the cache:

yum clean all

And then try the upgrade again.

ASL 2.2

ASL 2.2 uses the RPM package management system. You can upgrade ASL by using the following command:

yum upgrade

When you have completed upgrading any component of ASL you must run this command to finish configuring your system:

asl -s -f

This configures all of the ASL updates for your unique system. This command is perfectly safe to run at any time even if you have not upgraded any ASL components.

Automatic Upgrade system

Since version 2.1, ASL has the ability to automatically update itself. This is configurable from the ASL GUI. The option in the GUI is: UPDATE_TYPE. There are three modes:

  • all - This will configure ASL to automatically upgrade all of its components, including the rules. This is the most secure option.
  • exclude-kernel - This will configure ASL to upgrade all of its components, including the rules, but will not upgrade the kernel. This is the second most secure option.
  • rules-only - This option will configure ASL to only keep the rules up to date. This is the least secure option.

You can also configure the frequency at which ASL checks for updates by configuring the AUTOMATIC_UPDATES setting in the GUI. You can configure ASL to check for updates:

  • daily
  • hourly
  • none

We recommend that users test all upgrades on a test system before deploying to a production system.

Yum

Do not use yum to upgrade ASL. The ASL upgrader, aum, is the only supported method for upgrading ASL.

Personal tools